Privacy commissioner’s office approves hand and thumbprint scanners with strict limits to track shifts
Employers looking to use biometric scanners to track employees’ hours of work can feel a little more comfortable after two investigations by the Alberta Information and Privacy Commissioner found them to be acceptable, with certain conditions.
An employee at the Southwood Care Centre, a Calgary nursing home, complained to the commissioner when her employer implemented a hand recognition scanning system for employees to clock in and out of work. The system scanned the hand, recorded various measurements and assigned a mathematical value for those measurements. An employee identification number was associated with the numerical value and employees scanned their hand and punched in their number when they arrived and left work.
The system was connected to the payroll system and kept track of arrival and departure times. The employee was concerned the recording of her handprint was a privacy violation and believed the information stored in the system wasn’t properly protected. She filed the complaint in February 2008, seven months before Southwood planned full implementation of the system.
The officer who investigated the complaint agreed the value recorded in the system qualified as personal information under Alberta’s Freedom of Information and Protection of Privacy Act (FOIP), since even though the actual handprint wasn’t recorded, the unique number generated from it was assigned to an individual. Hand measurements are physical characteristics and can uniquely identify individuals, the officer said.
However, the officer found Southwood used the information to keep track of employees’ hours in the payroll system and compensate them accordingly. It was directly related to an “operating activity” of the business, in this case employee compensation. The information was also adequately protected, the officer found, with reasonable security measures. The hand scanning data was stored in a network server in a locked cage inside a locked room. The payroll information was protected by strong passwords, a firewall and an anti-virus service. Staff members were required to wear identification badges and visitors were accompanied at all times. There was also a receptionist at the office entrance.
Problems with old tracking system
Southwood was previously using a less-intrusive magnetic card system for employees to clock in and out, but there were problems with damaged and lost cards as well as “buddy-punching,” where employees sign in and out with other employees’ cards. This made it difficult to accurately keep track of employees’ hours.
The officer found Southwood had announced the new hand recognition system in newsletters in February 2007 and April 2008. However, many employees didn’t see the newsletters and as a result didn’t get proper notice of the collection of their handprint information.
The officer found it was necessary for Southwood to collect the information from the hand scanners for proper authentication of employees’ identities and maintenance of the payroll. Southwood collected only the minimum information necessary to carry out this purpose and the information was well protected. However, the officer recommended Southwood post a notice at the workplace informing employees about the process when it was fully implemented.
Thumbprint scanning for nightclub workers
The Empire Ballroom, an Edmonton nightclub, decided to introduce a thumbprint sign-in system to track employees arriving for and leaving their shifts. It informed its employees in December 2007 that the system would be in place in March 2008. One employee, who started working at the Ballroom in January 2007, balked at the prospect of getting her thumb scanned, as she felt she wasn’t informed of how the information would be used and stored.
The employee asked for a copy of the Ballroom’s privacy policy but was told, “You work for me, I am your privacy policy.” Employees were told at a March 2008 staff meeting that the system would be implemented and, according to the Ballroom, were also told individually while they were working. When the employee arrived for her shift two days later, she refused to submit her thumbprint. Midway through the shift, she was told to leave. She filed a complaint, saying the Ballroom didn’t properly inform her of how the information would be used, stored and protected, and that she was terminated for refusing to submit her thumbprint.
The privacy commissioner’s investigating officer found the system didn’t collect actual thumbprints, but rather digital representations of the thumbprints which consisted of measurements of unique attributes on the thumb. The representation was converted into a unique number that identifies the individual but can’t be reverse engineered to reconstruct the thumbprint. Because it was unique, identifying information about each employee, it still qualified as personal information.
Because the scanned information was used for attendance tracking and payroll purposes, it was directly related to managing the employment relationship and no other purpose.
Employees not told what would be collected
The officer found the Ballroom did notify the employee it would be collecting information and it was to replace the old sign-in system to track employee shifts. However, it didn’t clarify what specific personal information was being collected. The employee was under the impression her actual thumbprint was being collected and stored, while in actual fact it was a numerical identifier from which her thumbprint couldn’t be reconstructed.
“It is insufficient for an organization to notify individuals that something about them will be collected and used,” the officer said. “Notification must therefore include a description of what the information at issue is.”
Only in such a case can an employee give informed consent, the officer said. The officer found the Ballroom met the requirements of Alberta’s Personal Information Act (PIPA) in that it had reasonable purposes for collecting the thumbprint information related to running the business. It also collected only the information necessary to track the employees’ shifts. However, it didn’t meet PIPA’s requirements to properly inform employees of what information was going to be collected. It also failed to meet the requirement to supply the employee with privacy policy information on request.
“There is an enhanced responsibility for organizations to explain not only the purposes for which personal information is being collected, but also what information about the individual is being collected,” the officer said.
The Empire Ballroom was ordered to notify employees in writing about what personal information was collected by the biometric sign-in system and how it would be used. It also had to include thumbprint templates in its privacy policy and provide all employees with copies of the revised policy. Otherwise, the use of the thumbprint scanner to track employee shifts was acceptable.
Employers must proceed carefully with biometrics
The Southwood and Empire Ballroom investigations both determined biometric scanning systems were acceptable for tracking employee shifts, as long as they were justified, only the necessary information was collected and employees were properly informed of the details. However, the officer in each case urged employers to tread carefully or risk upsetting the balance between business interests and employee privacy.
“This does not represent a ‘privacy carte blanche’ for public bodies to implement biometric systems,” the officer in the Southwood case said. “Public bodies need to demonstrate their use of these systems is necessary under FOIP.”
For more information see:
• Office of the Information and Privacy Commissioner of Alberta Investigation Report F2008-IR-001 (Aug. 7, 2008), Brian Hamilton – Portfolio Officer.
• Office of the Information and Privacy Commissioner of Alberta Investigation Report P2008-IR-005 (Aug. 27, 2008), Preeti Adhopia – Portfolio Officer.